If I’m visiting Amazon, I’m pretty sure that I’m getting the security I’m expecting simply by seeing Amazon’s domain, the pages I recognize, and some semblance of SSL.
It’s the lesser-known sites, I think, where this sort of “trust” (for some version of trust) matters more — random-ecommerce-site.com doesn’t have the brand value or trust factor of Amazon, so they need every (perceived) advantage they can get, EV being one.
There are a few different reasons people use EV. Most are similar to verification on other platforms, e.g. AirBnB, WhatsApp, Facebook (Twitter is unique as that has additional requirements beyond identity verification).
- You're a smaller company, handling sensitive information, and you want people to know there's a real legal entity behind the website they're giving it to. E.g. fintech startups and new dating sites.
- You're a company that has resellers, counterfeiters or other non-official sites and want to distinguish that you're the actual brand. Typically fashion retail is the biggest demand here.
- You simply want to match a public key to a real world identity, just like any other cryptosystem, in the same way that the fields in the CSR were checked in the 90s, prior to GeoTrust inventing DV to save money in the early 2000s. Typical case here is a lot of old school sysadmins who dislike public keys that haven't actually been proven to be owned by anyone.
An example of this?
Let's say back in the day you were the market leader and had "intel inside" (the processor). But you didn't use the 'intel inside' logo because then others could have the same sticker and the public would think 'oh ok it's the same stuff in brand X'.
Manufacturers frequently come up with different names for product features for a similar reason.
I think this also goes by the 'nobody got fired for buying IBM rule'.
For the nominal cost of the EV you don't want to take a chance that you are wrong. It can't hurt and it might help.
Additionally I bought one also because I kind of like the green at the top and I think that as a design element it adds to a page in the position that it's at.
Note: we're online retail, I don't think it matters for SaaS anywhere near as much.
For financial stuff it is apparently expected (NL).
I know my grandparents never see the EV certs, because their AV does TLS termination (I tried to talk my uncle out of it, but he really trusts AV). I don't see anyone I know caring about an EV cert missing for a payment provider.
The only exception I can think of would be for big national banks (Rabobank, ING, etc) for those it might be weird not to see EV because all the others have it.
Especially because mollie is often used by smaller sites. The first few times I saw the name, it felt rather sketchy that I was paying to mollie rather than whatever business I was buying from.
Specifically iDeal, which is implemented by the banks. But our checkout process was one step before this.
So maybe it is a network effect within financials?
A comment about the carelessness of an ex-employee regarding his own privacy and the reputation of the company he worked for (and yes that can be a bad thing to do; reminding somebody of that I tend to consider civil) and a hyperbolic statement regarding the accusation of 'doxing', as it just required a single Google search, don't seem uncivil to me.
Not every site will need or want this but the ability should exist.
At the moment EV provides this ability. If EV is not seen as the answer then we need to have something else instead. We could decouple this from HTTPS but identity is also a valid purpose of signed certificates.
And as long as people have this attitude, things will never be secure. Users are already the weakest link and excusing them from having any responsibility for their own security is not helping.
We told users for years to look for a padlock and https in the address bar before entering passwords or credit card details to make sure it was encrypted. Now we have HSTS so that websites can enforce https without having to have the user manually check things and risk missing something. HSTS does not place a burden on the user, we took responsibility from the user and fixed the issue without having to involve them. That's exactly how we improve security.
Clicking links in emails is another prime example. We can try to teach the user as much as we like for as long as we like but ultimately there's almost 8 billion people on Earth, so yeah, good luck on that front! Instead we can enforce policies like SPF/DKIM/DMARC to ensure the sender is genuine, check the reputation of domains linked in the body and filter them, scan attachments for malicious content, prevent execution of scripts, remove administrative privileges from the user and countless other technical measures we can deploy without even having to speak to the user once.
Every time we have to ask the user to do something or to not do something, the technology has failed.
The UI was consistent with a green address bar as agreed in the CAB Forum. It was Chrome that broke away from this consistency.
I think we learnt that lesson with 'check for https in the address bar' and now we have HSTS instead.
or on the browser integration. If chrome/firefox decide to remove this distinction tomorrow, the whole business aspect of it will die.
Yes, without. Because this is supposed to help people, not machines, and people will never tell the difference. The ones who make the effort to understand this rainbow of colors around the url bar will not be fooled anyway (and if they are, the attack was very successful anyway).
All this said, I would like to have the name of my blog next to the green lock because it looks nice. For free that is.
For example, PayPal and Apple care but not Google, Amazon or Microsoft. So, it's not a matter of costs, but its usability, which is practically NIL. Even Ycombinator is not using it.
As a developer, I have found that practically all customers don't care about the URL; in fact, most customers don't see the URL at all.
All EV certs must have publicly searchable CT records, and go through reasonably complex validation processes involving some manual human validation processes, in addition to the usual checks.
This means that:
1. The barrier to getting an EV cert is higher - and the probability of a misissuance is lower.
2. If a misissuance does occur, it should be very easy to find out - by regularly/automatically searching CT logs.
If you choose two or three CAs whose EV programs you trust, you can pin against those CAs’ EV roots in your applications (e.g. a mobile app published by your company).
This is an effective process to reduce the risk of MITMs, and even continues to work as the CA changes intermediates etc (assuming they have separate roots for EV).
There isn’t a whole lot of benefit in browsers, unless you have preloaded pinned certificates there too (which many major sites do).
Also, as an aside, if anyone is looking for EV certs, I have always wholeheartedly recommended CertSimple. They’re very quick, aren’t too expensive, and have good support. The certs are issued by DigiCert. We use them for https://cuvva.com
If you are going to pin your apps to a CA, you have quite a few other options. For example, you could cross-sign all your certs by your own root CA cert and pin to that in addition to pinning to the other CA. At this point, you don't need to trust the CA as long as you trust your own root cert.
If you’re going to do cross-signing, then you do need to essentially operate your own root program - assuming you want to keep your own root secure. You’ll also then presumably need to serve an additional cert (or two, if you’re keeping your own root offline) in the intermediate chain so it can be validated by the client.
For the pinning in a mobile app, would you still depend on the PKI or not just pin against your own private CA/certificates?
I do still think the barrier to entry aspect of EVs will always be very helpful. In a world where you can get a DV cert in under a second (from LetsEncrypt), if your DNS or domain registration was to be compromised, you’d have no MITM protection at all until you managed to get it revoked - which is likely to take days.
It’d almost be helpful to have a system where certs have to be requested (publicly on CT records) a week in advance or something, so issuance can be protested if something like the above did happen.
Google.com has an OV certificate, where identity is matched to google.com but this isn't shown in the browser. It's a similar level of verification as EV but without the UI. Note Google have a lot of user generated content (eg, AMP sites) hosted on google.com
YC's website isn't an example of great tech.
(See bio/disclosure in my other comment)
This did actually take me away from the checkout of the website I was on, so it kind of broke 'Don't make me think' for me in that instance.
What if someone else had managed to register Apple.co and started using it nefariously? Having an EV cert, we can see if a site is actually an Apple Inc site or not.
There is more to tls/https than encrypting the tunnel.
If apple.co was doing nasty things it'd also be blocked pretty quickly with things like Safe Browsing which is great.
Eg, you see an important update to a ToS you need to accept or a service you use will be stopped. You click the link, log in, and your browser says...
> This is the first time you've visited this site. The owner has been verified as amazon.com
or, for EV:
> This is the first time you've visited this site. The owner has been verified as Apple, Inc.
or, for a DV phishing cert:
> This is the first time you've visited this site. The owner has been verified as www.google.com-swag.ph
Unfortunately browsers don't make certificate information available to users, and are uninterested in whether users understand what they're connecting to (https://certsimple.com/blog/browser-security-indicators).
The same thing applies to mobile Chrome poor identity display compared to mobile Safari.
This doesn't mean we should stop verifying pubkeys with EV. It means browsers should improve their UI or let others do so.
I can't seem to get away from two key things that put me off: requiring the user to have some pre-existing knowledge of the name of the legal entity, and then having to manually notice and verify that information on each page.
Let me list a couple of scenarios to see if I can better articulate my thoughts.
1) The user wants to buy something from ACME Corp so they search for them on Google and find acme-corp.com listed as their site. The user visits the site and sees in the EV indicator that this domain is indeed owned and verified as ACME Corp [US], the company they wanted to interact with. In this scenario the user is required to have pre-existing knowledge of who they wish to visit the site of and then manually verify that information.
2) A user is browsing the web and finds a product on a website that they want to buy. They check the address bar for https and also notice an EV indicator that says Bargain Central [UK]. Without existing knowledge of who the company is, what value does the EV indicator provide?
Maybe I'm missing something, and please do feel free to point out some other user scenarios, but #1 requires the user to have existing knowledge which is a pretty big burden to place on them. I can't really think up a scenario these days where someone would tell you a company name to buy something from or visit online but not their website address.
With #2 it seems to provide no value because the user has no reference as to who that company is. Given the information in the EV indicator the user would need to go and lookup information about the company somewhere else? We certainly can't assume that they're trustworthy just because they have an EV cert!
I honestly don't think the biggest problem with EV is browser UI. As I detailed in the linked article there are many scenarios when EV will never show because of AV/interception/proxies/etc and there's nothing that can be done about that. Even if all browsers had a consistent UI, my biggest concerns would still remain what they are now.
In the proposal, the user doesn't know anything about the EV indicator.
The browser simply prominently shows the user the highest level of identity information on first POST (maybe with a two week delay on fresh browsers).
Do you trust:
- Apple, Inc. (United States)
The proposal is particularly neat as it doesn't discriminate against well known domains with DV, just shows users what the cert proves at the time they most need to know.
I could make this in a day, and prove it improves end user security, if Ryan (or anyone else) would let me.
(I'll address your scenarios in another comment, just wanted to clarify the identify-on-first-POST proposal first)
- Other Company [United Kingdom]
Unless you already know you wanted Other Company [UK] (pre-existing knowledge) the EV indicator really doesn't help.
> This is the first time you've visited this site. The owner has been verified as some-company.com
"OK. Have I heard of these people before? The dash is a bit weird. Not bad, not good - which is reasonable for site that isn't telling me anything."
> This is the first time you've visited this site. The owner has been verified as Other Company [United Kingdom]
"OK cool. I live in the UK and I know who is handling my data."
> This is the first time you've visited this site. The owner has been verified as some-company.com-fake.uk
"Euw gross. I'm out of here."
"I know who is handling my data", really? You know their registered name but nothing about them or who they are, where they are (in the country), are they big/small, reputable, been established 2 days or 2 years, have 5 staff or 500 staff, nothing. In all honesty, the browser presenting that to me in the address bar has absolutely no value. It's a simple text string, how can it?
As you live in the UK, and you noticed a business you thought was local or US based turned out to be from the Philippines or Russia, would you care? It's essential the country be included.
> You know their registered name
You know more than that, you know the specific legal entity you are dealing with - the name is part of that, but it's what the name signifies. It's accountability, exactly like every other verification platform: Instagram, Facebook, whatsapp, GPG + university directory with keys, GPG keybase. Oddly enough the verification process for verifying individuals on these platforms is almost identical to EV's.
The only place we trust random pubkeys and a network address is the web, and that's because GeoTrust wanted to save money in the early 2000s.
> are they big/small, reputable, been established 2 days or 2 years, have 5 staff or 500 staff
You are confusing identification with approval. See: every platform listed above (except Twitter, which does actually confuse them and is currently in a heap of turmoil over it). Also your passport - it doesn't mean you're a good person, it just means we know which person you are.
If I "thought" it was local or if I "knew" it was local. The information is only useful if I knew it was local (prior knowledge) and EV UI tells me it's not (and I notice, and then act accordingly).
> You know more than that, you know the specific legal entity you are dealing with - the name is part of that
No, I really just know the name, because that's all that's in the EV UI unless I go digging...
> it just means we know which person you are.
And a DV certificate tells you which website I am, scotthelme.co.uk, which is what you typed into the address bar.
At least in that case the user knows that they're on the website of a real, legal entity in the UK, and not, for example, a phishing website based in China.
This, to me, is the main value proposition of EV certs. Not a huge deal of course, but significant nonetheless.
I'm not sure users care about domain names in search results (this is measurable) so these two scenarios have similar cases:
They see the owner is ACME Corp and in this case know they're dealing with a site whose legal identity has been verified, in their own country or one they trust.
Not someone who registered a domain name, not someone in the Philippines.
Sure, if by "Browsers" you mean "the browser made by the Ad Network company that has a vested interest in people using web based computing for everything they do, regardless of security concerns".
My browser (Safari) shows me the domain I'm connected to for DV, and the verified organisation name for EV, and the certificate details are a click away in either case. If Chrome doesn't provide some of that information, that's a fault against Chrome, not the concept of Certificates.
Safe Browsing covers malware, and.. maybe phishing?
There are plenty of other things bad actors can do while impersonating well known sites.
If twitter compromises your account details, you can change your passwords. If your (E-validated) electronic banking service compromises your account details, you can sue.
EV is laborious for social reasons (and some technical reasons of course, nobody likes ASN1 extensions etc.); your effort to secure and validate a service is proportional to your stake in the transaction.
To quote wikipedia:
>An Extended Validation Certificate (EV) is a certificate used for HTTPS websites and software that proves the legal entity controlling the website or software package.
Not really important for this discussion, but slightly relevant: For some reason Twitter uses both EV and non-EV certificates depending on geolocation.
ps: I'm getting some downvotes for my view on this, but little in the way of arguments. I'm happy to be corrected. Am I coming off as an asshat on this?
I don't think you can make the argument that businesses don't adopt EV because that'd expose them to legal risk. That just doesn't fit into my understanding of how the law and courts work. I'm not aware of any evidence or precedent that would support this, and the EV guidelines don't mention anything of this nature either.
Not to sound too harsh but I don't care about making the user 'feel' anything. I want to make them more secure.
An EV cert tells the user that the operator of a site has taken pains to make themselves legally accountable, and has confirmed details about jurisdiction, legal entity, liaison, etc. to the CA, which in turn connects cryptographic non-repudiation to legal non-repudiation (i.e. a signature).
All this is to state that with EV, every http response is basically signed and dated by the legal organisation that operates the site (grossly simplified, but sufficient for this argument). This signals where and how any dispute is to be arbitrated and settled (officially, and possibly legally), and conversely how seriously the security and integrity of the interaction is considered.
The ev-cert acknowledges legal exposure, and therefore it also informs users of legal exposure.
I see what you're saying but I can't see where this would happen whilst the user has the browser window open showing EV information. If Twitter leaks your data you'd likely get an email notifying you or watch it on the news and then take action as a result of that.
The EV-cert doesn't help twitter or facebook (other than making them seem more trustworthy), it doesn't provide any extra cryptographic or operational security, it helps the user better ascertain who is accountable and where when the shit inevitably hits the fan.